udp/5060 is usually SIP traffic. Message ID 302015 is an informational syslog message and does not on its own indicate an attack. The connections in the syslogs above are being established outbound, so one of two scenarios exists.

Scenario 1 is that this traffic is necessary and required for some SIP trunking service.

Scenario 2 is that your 14.140.32.254 host has major issues.

I recommend implementing Egress filters on your ASA. During the process of implementing them (if you don't already have them) you are going to learn what is required for your network to function. At the end of the implementation you will be denying everything that is not allowed.

Post "show run access-group" and "show run access-list" if you wish so we can see what your ACLs look like.

If you think that traffic is malicious or not required then update this ACL so that udp traffic with destination of udp/5060 gets blocked. I would be careful though. It looks like this traffic may be required for a VCSE. Either way I would re-visit that ACL so that not everything is allowed out unchecked. Is there any particular reason you think this is an attack?
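One way to tell the two scenarios apart from the 302015 messages themselves, as an added example that is not part of the original posts: count how many distinct remote hosts each internal source reaches on udp/5060. The sample lines, the addresses in them and the `max_trunk_peers` threshold are constructed assumptions, and the regex assumes the usual outbound layout in which the remote endpoint follows "for" and the local one follows "to".

```python
import re
from collections import defaultdict

# %ASA-6-302015 "Built ... UDP connection" layout; the parenthesised mapped
# addresses (and an optional identity-firewall user) are skipped.
BUILT_UDP = re.compile(
    r"%ASA-6-302015: Built (?P<dir>inbound|outbound) UDP connection \d+ "
    r"for [^:\s]+:(?P<dst_ip>[^/\s]+)/(?P<dst_port>\d+) \([^)]*\)(?: \([^)]*\))? "
    r"to [^:\s]+:(?P<src_ip>[^/\s]+)/(?P<src_port>\d+)"
)

# Constructed sample input: 10.1.1.20 talks to one SIP peer repeatedly,
# 10.1.1.30 opens udp/5060 flows to six different hosts, plus one DNS flow.
_FMT = ("%ASA-6-302015: Built outbound UDP connection {n} for outside:{dst}/{dport} "
        "({dst}/{dport}) to inside:{src}/5060 ({src}/5060)")
SAMPLE_LOG = "\n".join(
    [_FMT.format(n=100 + i, dst=f"203.0.113.{i}", dport=5060, src="10.1.1.30")
     for i in range(1, 7)]
    + [_FMT.format(n=200 + i, dst="198.51.100.10", dport=5060, src="10.1.1.20")
       for i in range(3)]
    + [_FMT.format(n=300, dst="198.51.100.53", dport=53, src="10.1.1.20")]
)


def sip_fanout(log_text, port=5060):
    """Map each internal source to the set of remote hosts it reached on udp/<port>."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        m = BUILT_UDP.search(line)
        if not m or m["dir"] != "outbound" or int(m["dst_port"]) != port:
            continue  # not a 302015 line, not outbound, or not SIP
        peers[m["src_ip"]].add(m["dst_ip"])
    return dict(peers)


def classify(peers, max_trunk_peers=3):
    """A handful of fixed peers looks like a trunk; wide fan-out needs a closer look."""
    return {src: "trunk-like" if len(dsts) <= max_trunk_peers else "fan-out"
            for src, dsts in peers.items()}


if __name__ == "__main__":
    for src, verdict in classify(sip_fanout(SAMPLE_LOG)).items():
        print(src, verdict)
```

The "trunk-like" destinations are also the ones to permit explicitly when building the egress ACL.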

Dear Mr. Joe Doran,

Thanks for your reply. As per the logs sent in my first mail, the CPU utilization exceeds and the ASA box hangs every three days, and we need to restart the box again. That's the reason I am suspecting an attack is happening.